SOPA Could Create New Denial of Service Attack, Powered by Law not Botnets

The United States House of Representatives is considering the Stop Online Piracy Act, known as SOPA. Companies including Google, Zynga, Facebook, Yahoo, AOL, and Mozilla, along with organizations like the Electronic Frontier Foundation (EFF) have been sharply critical of the law. At CloudFlare, we share these concerns but see another significant risk: that SOPA's proposed restrictions could be used to launch a new form of denial of service attack against which I'm not sure we will be able to defend.

The Status Quo

There is no denying that the Internet creates new challenges for content creators. We see this first hand. CloudFlare's users are content creators. Every day they publish unique content and are deeply concerned when that content is used without their permission. We spend significant time building technologies, such as tools to prevent content scraping bots, in order to help publishers keep their content from being stolen.

At CloudFlare we also receive requests from content owners alleging one of our users has published their content without their permission. While CloudFlare is not a hosting provider, we do sit as a network provider in front of websites in order to make them faster and shield them from attack. The Digital Millennium Copyright Act, known as the DMCA, contemplates network providers like CloudFlare and generally outlines the procedures we take to reveal the actual host of a website when we are contacted by a copyright holder with a valid complaint.

Abusing the DMCA

We've been seeing a disturbing trend recently. Increasingly, we're receiving purported DMCA requests that ask us to identify website hosts that are actually from attackers abusing the legal code. If we reveal the requested information, attacks are launched directly at those hosts, bypassing CloudFlare's protections and knocking legitimate sites offline. Initially, these requests were relatively easy to spot. When we recognized the new attack method, we changed our policies and trained our customer support team to more carefully screen DMCA requests. Increasingly, however, the requests are becoming more sophisticated and difficult to detect.

Imagine the challenge for someone on CloudFlare's support team. If someone writes to us alleging that they are a photographer who took a picture that appears on a website, or a designer who drew a logo, or an author who wrote some text, how can that claim be verified? I'm an attorney and member of the bar. I teach a course on intellectual property and technology law at the John Marshall Law School. I serve on the Board of the Center for Information Technology and Privacy Law. I've reviewed many of these requests and, even with my training in the subject, I have no idea how to effectively and efficiently tell the difference between valid and invalid complaints.

In an Internet without bad guys, the consequences of revealing a host's information are relatively minimal. Unfortunately, the Internet is full of bad guys. There has been a steady rise in attacks, increasingly affecting legitimate small businesses and ecommerce sites. These attacks have been part of why more than 100,000 websites have sought shelter behind CloudFlare in just the last 12 months. We offer strong technical protections to shield sites from attack, but I'm concerned some of our efforts could be undermined by new laws like SOPA.

SOPA: Enabling a Purely Legal DDoS

CloudFlare's policy under the DMCA is to reveal information about the origin host when we receive a valid copyright complaint. If we make a mistake and reveal the origin host to a bad guy, then the bad guy still needs the technical acumen to launch a DDoS attack. What's concerning to me about SOPA is it could remove the technical requirement and effectively streamline DDoS attacks.

SOPA, as it is currently written, requires network service providers like CloudFlare to stop resolving DNS for sites that are alleged copyright violators. The allegation merely needs to include some reasonable evidence. In other words, a carefully crafted letter, or forged subpoena, could be all it takes for a future attacker to knock a site offline. No botnet needed, just a passable mastery of legalese.

While it is important to acknowledge the need for copyright protections online and to provide systems to protect content creators, new laws designed to uphold those protections need to be carefully crafted so as to not create substantial new security risks. Writing bad computer code has always provided a vector for attacks. I'm increasingly concerned that writing bad legal code, like SOPA, will provide a similar vector.

If you're in the US, follow this link to the EFF's site. From there, it takes less than a minute to send a message to your legislators to tell them SOPA is a bad idea.

Posted by Matthew Prince

Comments (10)

Nov 16, 2011
C0nw0nk said...
There was also a pretty good video on this subject that explains it a lot better.

http://vimeo.com/31100268

I just hope they do not allow this to happen.

Nov 16, 2011
What is Cloudflare's position on SOPA? I noticed you guys don't have a SOPA Censorship script on your site today.
Nov 16, 2011
Matthew Prince said...
See the blog post above. While we understand the concern the legislation is trying to address, we're concerned about SOPA and its unintended consequences.
Nov 16, 2011
Does concern mean "opposed"? I'm just trying to see where Cloudflare stands as a company.... People and companies can be concerned about something and still support or oppose it.
Nov 16, 2011
Matthew Prince said...
There's a reason I stopped practicing law! To be clear: We oppose the law in its current form and hope that it will either be defeated or amended to address the concerns discussed above as well as those raised by organizations such as the Electronic Frontier Foundation.
Nov 17, 2011
alex_de_borba said...
I'm US/European (half-both), but all my sites are under EU copyright laws and terms; however, we're hosted by a USA Data Center. Not sure how SOPA would affect me and my colleagues in regard to their new (eventually-to-be) policy, as this hasn't been quite clear to me. Would it be better just to switch to an EU Data Center just to make sure we're not subject to it at all?

I'm not by any means claiming we've stolen copyrighted material, which we don't, but it seems to me that everyone will be free to proclaim or accuse another from copyright violations and so, put the site in a kind of blacklist, as the law itself it's not quite explicit in some matters, at least not clearly. I truly hope it doesn't come through, otherwise we'll have the USA following (eventually) the same status on prohibition as we do see and witness in North Korea, China (Communist Regime) and Japan in which sites as YouTube, Facebook, Twitter and other networks (Hi5 for instance) have either limited access or are banned at all from public access, be it at home, office, or at any cyber place.

Honestly speaking, I don't quite follow the general idea, as it will only make people "fear to use" any US community or even try to indulge in any activity, be it social or professional, without wondering if there's none of those so-called "controls" looking over their shoulders. In one way or another I ask myself what happened to the Fifth Amendment?

I think that in general, their major concern is in fact illegal downloads. The public sharing of audio, visual, software or web ware material that every day pops up on the internet practically at the very same time it hits the stores. They could block those sites and leave the remaining alone, but we all know that since 2005, most web sites with illegal downloads are avoiding being hosted by US based hosting providers, seeking elsewhere; for instance Germany and The Netherlands allow sharing web sites to freely distribute and even host their downloads in their own hosting accounts. There's 100's if not 1000's of on-line streaming radios that in one way or another don't pay royalties to the controlling Artists Rights Associations; those are also a concern.

I've gone a bit far on this comment, my apologies. But I truly believe that to control all those activities aforementioned, it all must start with the Hosting Providers and not a law imposed by a group of Politicians who (I presume) don't even have the slightest clue of what PHP is or how hard it is to keep a good site on-line with great content, how much effort site owners and staff have to put into it to make sure it becomes recognizable for its shape, visual, functionality, content and reputation.

Jan 18, 2012
Sven said...
TopTarif supports the anti SOPA and PIPA campaign in Germany. Here is a Blogpost in German http://blog.toptarif.de/2012/01/18/sopa-und-pipa-sorgen-fur-aufruhr-im-internet/
Jan 18, 2012
keepcustomer said...
yes, this will drive both customers and businesses away from Internet
Jan 20, 2012
Tucker said...
I think the idea of such censorship of the web is terrifying! Please check out my protest video! And please, keep in mind, that I intended for some of the crude humor. My point remains: Free internet = Free Speech. Thanks!

http://www.youtube.com/watch?v=5YpG39c-XVA
